I hacked Citrix, says Russian hacker w0rm

Citrix, a US software company specialising in virtualisation and cloud computing, has reportedly been compromised by a Russian hacker called w0rm.

w0rm is infamous for several attacks over the past five years on a number of high profile targets including the BBC, CNET, Adobe and Bank of America. The identity of the person or group behind w0rm is unknown.

According to a blog post (in Russian), w0rm claims to have been able to gain access to the content management system on the Citrix network via an insecure password. From there, it was able to exploit a series of security holes to gain access to the company's administrative system including the remote assistance system.

Cyberint, a cyber-security intelligence company based in Israel, said it identified the hack in October and promptly tried to notify Citrix.

According to Elad Ben-Meir, vice president of marketing at Cyberint, the company made repeated efforts to notify Citrix but received no response. In addition, the hacker w0rm tweeted Citrix with a link to its blog posting on 25 October 2015 and says it received no response.

SCMagazineUK.com has made several attempts to contact Citrix for a comment today but at the time of publication had not received a reply.

According to Ben-Meir, an analysis of w0rm's attack showed that it had gained access to all of Citrix's customers through the administrative system. This would have enabled an attacker potentially to bypass customers' security systems and upload malware undetected.

“Citrix offer a platform for remote assistance – [w0rm] could if he wanted to – but he didn't actually use it, but if he wanted to he could penetrate every endpoint of Citrix customers out there,” said Ben-Meir.

“Essentially if he had wanted to, he could have put malware into every end user of every Citrix customer which then would allow it to either keylog the things the people type, he could steal sensitive information from those end points, or he could use those endpoints as a botnet to run DDos attacks,” he continued. “A hacker that gains access to that amount of PCs is basically really powerful.”

This would have been “undetectable”, he said up until the point that the attacker tried to activate the malware or exfiltrate data, depending on the security systems installed on the organisation's system.

Ben-Meir said that it was not possible to say whether the vulnerability that w0rm detailed in its blog might have been exploited by a previous hacker.

Tony Pepper, CEO of Egress Software, said in an email comment sent to SCMagazineUK.com that this latest episode of hacking calls into question the ability of organisations to deploy effective security.